gfwleak/tango-certstore
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

支持CERTEX HSM接口调用

Browse Source 
读取配置表PXY_PROFILE_HSM
重构配置读取代码
This commit is contained in:
fengweihao
2020-11-12 15:56:34 +08:00
parent 9962458ad6
commit d452d7b5f2
15 changed files with 4201 additions and 388 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
common/CMakeLists.txt
View File

@@ -2,7 +2,7 @@ add_library(common syslogd/src/logging.cpp json/src/arraylist.c json/src/debug.c
json/src/json_object.c json/src/json_object_iterator.c json/src/json_tokener.c
json/src/json_util.c json/src/libjson.c json/src/linkhash.c
json/src/parse_flags.c json/src/printbuf.c json/src/json_checker.c json/src/random_seed.c
rt/src/rt_file.cpp rt/src/rt_stdlib.cpp rt/src/rt_string.cpp rt/src/rt_tmr.cpp rt/src/rt_time.cpp)
rt/src/rt_file.cpp rt/src/rt_stdlib.cpp rt/src/rt_string.cpp rt/src/rt_tmr.cpp rt/src/rt_time.cpp rt/src/rlib_load.cpp)
target_include_directories(common PUBLIC syslogd/include json/include rt/include)
target_link_libraries(common PUBLIC rt MESA_handle_logger breakpad_mini)

301
common/rt/include/pkcs11.h Normal file
View File

@@ -0,0 +1,301 @@
/* pkcs11.h include file for PKCS #11. */
/* $Revision: 1.4 $ */
/* License to copy and use this software is granted provided that it is
* identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
* (Cryptoki)" in all material mentioning or referencing this software.
* License is also granted to make and use derivative works provided that
* such works are identified as "derived from the RSA Security Inc. PKCS #11
* Cryptographic Token Interface (Cryptoki)" in all material mentioning or
* referencing the derived work.
* RSA Security Inc. makes no representations concerning either the
* merchantability of this software or the suitability of this software for
* any particular purpose. It is provided "as is" without express or implied
* warranty of any kind.
*/
#ifndef _PKCS11_H_
#define _PKCS11_H_ 1
#ifdef __cplusplus
extern "C" {
#endif
/* Before including this file (pkcs11.h) (or pkcs11t.h by
* itself), 6 platform-specific macros must be defined. These
* macros are described below, and typical definitions for them
* are also given. Be advised that these definitions can depend
* on both the platform and the compiler used (and possibly also
* on whether a Cryptoki library is linked statically or
* dynamically).
*
* In addition to defining these 6 macros, the packing convention
* for Cryptoki structures should be set. The Cryptoki
* convention on packing is that structures should be 1-byte
* aligned.
*
* If you're using Microsoft Developer Studio 5.0 to produce
* Win32 stuff, this might be done by using the following
* preprocessor directive before including pkcs11.h or pkcs11t.h:
*
* #pragma pack(push, cryptoki, 1)
*
* and using the following preprocessor directive after including
* pkcs11.h or pkcs11t.h:
*
* #pragma pack(pop, cryptoki)
*
* If you're using an earlier version of Microsoft Developer
* Studio to produce Win16 stuff, this might be done by using
* the following preprocessor directive before including
* pkcs11.h or pkcs11t.h:
*
* #pragma pack(1)
*
* In a UNIX environment, you're on your own for this. You might
* not need to do (or be able to do!) anything.
*
*
* Now for the macros:
*
*
* 1. CK_PTR: The indirection string for making a pointer to an
* object. It can be used like this:
*
* typedef CK_BYTE CK_PTR CK_BYTE_PTR;
*
* If you're using Microsoft Developer Studio 5.0 to produce
* Win32 stuff, it might be defined by:
*
* #define CK_PTR *
*
* If you're using an earlier version of Microsoft Developer
* Studio to produce Win16 stuff, it might be defined by:
*
* #define CK_PTR far *
*
* In a typical UNIX environment, it might be defined by:
*
* #define CK_PTR *
*
*
* 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
* an exportable Cryptoki library function definition out of a
* return type and a function name. It should be used in the
* following fashion to define the exposed Cryptoki functions in
* a Cryptoki library:
*
* CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
* CK_VOID_PTR pReserved
* )
* {
* ...
* }
*
* If you're using Microsoft Developer Studio 5.0 to define a
* function in a Win32 Cryptoki .dll, it might be defined by:
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType __declspec(dllexport) name
*
* If you're using an earlier version of Microsoft Developer
* Studio to define a function in a Win16 Cryptoki .dll, it
* might be defined by:
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType __export _far _pascal name
*
* In a UNIX environment, it might be defined by:
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType name
*
*
* 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
* an importable Cryptoki library function declaration out of a
* return type and a function name. It should be used in the
* following fashion:
*
* extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
* CK_VOID_PTR pReserved
* );
*
* If you're using Microsoft Developer Studio 5.0 to declare a
* function in a Win32 Cryptoki .dll, it might be defined by:
*
* #define CK_DECLARE_FUNCTION(returnType, name) \
* returnType __declspec(dllimport) name
*
* If you're using an earlier version of Microsoft Developer
* Studio to declare a function in a Win16 Cryptoki .dll, it
* might be defined by:
*
* #define CK_DECLARE_FUNCTION(returnType, name) \
* returnType __export _far _pascal name
*
* In a UNIX environment, it might be defined by:
*
* #define CK_DECLARE_FUNCTION(returnType, name) \
* returnType name
*
*
* 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
* which makes a Cryptoki API function pointer declaration or
* function pointer type declaration out of a return type and a
* function name. It should be used in the following fashion:
*
* // Define funcPtr to be a pointer to a Cryptoki API function
* // taking arguments args and returning CK_RV.
* CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
*
* or
*
* // Define funcPtrType to be the type of a pointer to a
* // Cryptoki API function taking arguments args and returning
* // CK_RV, and then define funcPtr to be a variable of type
* // funcPtrType.
* typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
* funcPtrType funcPtr;
*
* If you're using Microsoft Developer Studio 5.0 to access
* functions in a Win32 Cryptoki .dll, in might be defined by:
*
* #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
* returnType __declspec(dllimport) (* name)
*
* If you're using an earlier version of Microsoft Developer
* Studio to access functions in a Win16 Cryptoki .dll, it might
* be defined by:
*
* #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
* returnType __export _far _pascal (* name)
*
* In a UNIX environment, it might be defined by:
*
* #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
* returnType (* name)
*
*
* 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
* a function pointer type for an application callback out of
* a return type for the callback and a name for the callback.
* It should be used in the following fashion:
*
* CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
*
* to declare a function pointer, myCallback, to a callback
* which takes arguments args and returns a CK_RV. It can also
* be used like this:
*
* typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
* myCallbackType myCallback;
*
* If you're using Microsoft Developer Studio 5.0 to do Win32
* Cryptoki development, it might be defined by:
*
* #define CK_CALLBACK_FUNCTION(returnType, name) \
* returnType (* name)
*
* If you're using an earlier version of Microsoft Developer
* Studio to do Win16 development, it might be defined by:
*
* #define CK_CALLBACK_FUNCTION(returnType, name) \
* returnType _far _pascal (* name)
*
* In a UNIX environment, it might be defined by:
*
* #define CK_CALLBACK_FUNCTION(returnType, name) \
* returnType (* name)
*
*
* 6. NULL_PTR: This macro is the value of a NULL pointer.
*
* In any ANSI/ISO C environment (and in many others as well),
* this should best be defined by
*
* #ifndef NULL_PTR
* #define NULL_PTR 0
* #endif
*/
/* All the various Cryptoki types and #define'd values are in the
* file pkcs11t.h. */
#pragma pack(push, cryptoki, 1)
#include "pkcs11t.h"
#pragma pack(pop, cryptoki)
#define __PASTE(x,y) x##y
/* ==============================================================
* Define the "extern" form of all the entry points.
* ==============================================================
*/
#define CK_NEED_ARG_LIST 1
#define CK_PKCS11_FUNCTION_INFO(name) \
extern CK_DECLARE_FUNCTION(CK_RV, name)
/* pkcs11f.h has all the information about the Cryptoki
* function prototypes. */
#include "pkcs11f.h"
#undef CK_NEED_ARG_LIST
#undef CK_PKCS11_FUNCTION_INFO
/* ==============================================================
* Define the typedef form of all the entry points. That is, for
* each Cryptoki function C_XXX, define a type CK_C_XXX which is
* a pointer to that kind of function.
* ==============================================================
*/
#define CK_NEED_ARG_LIST 1
#define CK_PKCS11_FUNCTION_INFO(name) \
typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
/* pkcs11f.h has all the information about the Cryptoki
* function prototypes. */
#include "pkcs11f.h"
#undef CK_NEED_ARG_LIST
#undef CK_PKCS11_FUNCTION_INFO
/* ==============================================================
* Define structed vector of entry points. A CK_FUNCTION_LIST
* contains a CK_VERSION indicating a library's Cryptoki version
* and then a whole slew of function pointers to the routines in
* the library. This type was declared, but not defined, in
* pkcs11t.h.
* ==============================================================
*/
#define CK_PKCS11_FUNCTION_INFO(name) \
__PASTE(CK_,name) name;
struct CK_FUNCTION_LIST {
CK_VERSION version; /* Cryptoki version */
/* Pile all the function pointers into the CK_FUNCTION_LIST. */
/* pkcs11f.h has all the information about the Cryptoki
* function prototypes. */
#include "pkcs11f.h"
};
#undef CK_PKCS11_FUNCTION_INFO
#undef __PASTE
#ifdef __cplusplus
}
#endif
#endif

912
common/rt/include/pkcs11f.h Normal file
View File

@@ -0,0 +1,912 @@
/* pkcs11f.h include file for PKCS #11. */
/* $Revision: 1.4 $ */
/* License to copy and use this software is granted provided that it is
* identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
* (Cryptoki)" in all material mentioning or referencing this software.
* License is also granted to make and use derivative works provided that
* such works are identified as "derived from the RSA Security Inc. PKCS #11
* Cryptographic Token Interface (Cryptoki)" in all material mentioning or
* referencing the derived work.
* RSA Security Inc. makes no representations concerning either the
* merchantability of this software or the suitability of this software for
* any particular purpose. It is provided "as is" without express or implied
* warranty of any kind.
*/
/* This header file contains pretty much everything about all the */
/* Cryptoki function prototypes. Because this information is */
/* used for more than just declaring function prototypes, the */
/* order of the functions appearing herein is important, and */
/* should not be altered. */
/* General-purpose */
/* C_Initialize initializes the Cryptoki library. */
CK_PKCS11_FUNCTION_INFO(C_Initialize)
#ifdef CK_NEED_ARG_LIST
(
CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
* cast to CK_C_INITIALIZE_ARGS_PTR
* and dereferenced */
);
#endif
/* C_Finalize indicates that an application is done with the
* Cryptoki library. */
CK_PKCS11_FUNCTION_INFO(C_Finalize)
#ifdef CK_NEED_ARG_LIST
(
CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
);
#endif
/* C_GetInfo returns general information about Cryptoki. */
CK_PKCS11_FUNCTION_INFO(C_GetInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_INFO_PTR pInfo /* location that receives information */
);
#endif
/* C_GetFunctionList returns the function list. */
CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
#ifdef CK_NEED_ARG_LIST
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
* function list */
);
#endif
/* Slot and token management */
/* C_GetSlotList obtains a list of slots in the system. */
CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
#ifdef CK_NEED_ARG_LIST
(
CK_BBOOL tokenPresent, /* only slots with tokens? */
CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
CK_ULONG_PTR pulCount /* receives number of slots */
);
#endif
/* C_GetSlotInfo obtains information about a particular slot in
* the system. */
CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* the ID of the slot */
CK_SLOT_INFO_PTR pInfo /* receives the slot information */
);
#endif
/* C_GetTokenInfo obtains information about a particular token
* in the system. */
CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_TOKEN_INFO_PTR pInfo /* receives the token information */
);
#endif
/* C_GetMechanismList obtains a list of mechanism types
* supported by a token. */
CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* ID of token's slot */
CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
CK_ULONG_PTR pulCount /* gets # of mechs. */
);
#endif
/* C_GetMechanismInfo obtains information about a particular
* mechanism possibly supported by a token. */
CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_MECHANISM_TYPE type, /* type of mechanism */
CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
);
#endif
/* C_InitToken initializes a token. */
CK_PKCS11_FUNCTION_INFO(C_InitToken)
#ifdef CK_NEED_ARG_LIST
/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
CK_ULONG ulPinLen, /* length in bytes of the PIN */
CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
);
#endif
/* C_InitPIN initializes the normal user's PIN. */
CK_PKCS11_FUNCTION_INFO(C_InitPIN)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
CK_ULONG ulPinLen /* length in bytes of the PIN */
);
#endif
/* C_SetPIN modifies the PIN of the user who is logged in. */
CK_PKCS11_FUNCTION_INFO(C_SetPIN)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
CK_ULONG ulOldLen, /* length of the old PIN */
CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
CK_ULONG ulNewLen /* length of the new PIN */
);
#endif
/* Session management */
/* C_OpenSession opens a session between an application and a
* token. */
CK_PKCS11_FUNCTION_INFO(C_OpenSession)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID, /* the slot's ID */
CK_FLAGS flags, /* from CK_SESSION_INFO */
CK_VOID_PTR pApplication, /* passed to callback */
CK_NOTIFY Notify, /* callback function */
CK_SESSION_HANDLE_PTR phSession /* gets session handle */
);
#endif
/* C_CloseSession closes a session between an application and a
* token. */
CK_PKCS11_FUNCTION_INFO(C_CloseSession)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* C_CloseAllSessions closes all sessions with a token. */
CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
#ifdef CK_NEED_ARG_LIST
(
CK_SLOT_ID slotID /* the token's slot */
);
#endif
/* C_GetSessionInfo obtains information about the session. */
CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_SESSION_INFO_PTR pInfo /* receives session info */
);
#endif
/* C_GetOperationState obtains the state of the cryptographic operation
* in a session. */
CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pOperationState, /* gets state */
CK_ULONG_PTR pulOperationStateLen /* gets state length */
);
#endif
/* C_SetOperationState restores the state of the cryptographic
* operation in a session. */
CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pOperationState, /* holds state */
CK_ULONG ulOperationStateLen, /* holds state length */
CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
);
#endif
/* C_Login logs a user into a token. */
CK_PKCS11_FUNCTION_INFO(C_Login)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_USER_TYPE userType, /* the user type */
CK_UTF8CHAR_PTR pPin, /* the user's PIN */
CK_ULONG ulPinLen /* the length of the PIN */
);
#endif
/* C_Logout logs a user out from a token. */
CK_PKCS11_FUNCTION_INFO(C_Logout)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* Object management */
/* C_CreateObject creates a new object. */
CK_PKCS11_FUNCTION_INFO(C_CreateObject)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
CK_ULONG ulCount, /* attributes in template */
CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
);
#endif
/* C_CopyObject copies an object, creating a new object for the
* copy. */
CK_PKCS11_FUNCTION_INFO(C_CopyObject)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
CK_ULONG ulCount, /* attributes in template */
CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
);
#endif
/* C_DestroyObject destroys an object. */
CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject /* the object's handle */
);
#endif
/* C_GetObjectSize gets the size of an object in bytes. */
CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ULONG_PTR pulSize /* receives size of object */
);
#endif
/* C_GetAttributeValue obtains the value of one or more object
* attributes. */
CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
CK_ULONG ulCount /* attributes in template */
);
#endif
/* C_SetAttributeValue modifies the value of one or more object
* attributes */
CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hObject, /* the object's handle */
CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
CK_ULONG ulCount /* attributes in template */
);
#endif
/* C_FindObjectsInit initializes a search for token and session
* objects that match a template. */
CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
CK_ULONG ulCount /* attrs in search template */
);
#endif
/* C_FindObjects continues a search for token and session
* objects that match a template, obtaining additional object
* handles. */
CK_PKCS11_FUNCTION_INFO(C_FindObjects)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
CK_ULONG ulMaxObjectCount, /* max handles to get */
CK_ULONG_PTR pulObjectCount /* actual # returned */
);
#endif
/* C_FindObjectsFinal finishes a search for token and session
* objects. */
CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* Encryption and decryption */
/* C_EncryptInit initializes an encryption operation. */
CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
CK_OBJECT_HANDLE hKey /* handle of encryption key */
);
#endif
/* C_Encrypt encrypts single-part data. */
CK_PKCS11_FUNCTION_INFO(C_Encrypt)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pData, /* the plaintext data */
CK_ULONG ulDataLen, /* bytes of plaintext */
CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
);
#endif
/* C_EncryptUpdate continues a multiple-part encryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pPart, /* the plaintext data */
CK_ULONG ulPartLen, /* plaintext data len */
CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
);
#endif
/* C_EncryptFinal finishes a multiple-part encryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session handle */
CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
);
#endif
/* C_DecryptInit initializes a decryption operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
CK_OBJECT_HANDLE hKey /* handle of decryption key */
);
#endif
/* C_Decrypt decrypts encrypted data in a single part. */
CK_PKCS11_FUNCTION_INFO(C_Decrypt)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedData, /* ciphertext */
CK_ULONG ulEncryptedDataLen, /* ciphertext length */
CK_BYTE_PTR pData, /* gets plaintext */
CK_ULONG_PTR pulDataLen /* gets p-text size */
);
#endif
/* C_DecryptUpdate continues a multiple-part decryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedPart, /* encrypted data */
CK_ULONG ulEncryptedPartLen, /* input length */
CK_BYTE_PTR pPart, /* gets plaintext */
CK_ULONG_PTR pulPartLen /* p-text size */
);
#endif
/* C_DecryptFinal finishes a multiple-part decryption
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pLastPart, /* gets plaintext */
CK_ULONG_PTR pulLastPartLen /* p-text size */
);
#endif
/* Message digesting */
/* C_DigestInit initializes a message-digesting operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
);
#endif
/* C_Digest digests data in a single part. */
CK_PKCS11_FUNCTION_INFO(C_Digest)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* data to be digested */
CK_ULONG ulDataLen, /* bytes of data to digest */
CK_BYTE_PTR pDigest, /* gets the message digest */
CK_ULONG_PTR pulDigestLen /* gets digest length */
);
#endif
/* C_DigestUpdate continues a multiple-part message-digesting
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pPart, /* data to be digested */
CK_ULONG ulPartLen /* bytes of data to be digested */
);
#endif
/* C_DigestKey continues a multi-part message-digesting
* operation, by digesting the value of a secret key as part of
* the data already digested. */
CK_PKCS11_FUNCTION_INFO(C_DigestKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_OBJECT_HANDLE hKey /* secret key to digest */
);
#endif
/* C_DigestFinal finishes a multiple-part message-digesting
* operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pDigest, /* gets the message digest */
CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
);
#endif
/* Signing and MACing */
/* C_SignInit initializes a signature (private key encryption)
* operation, where the signature is (will be) an appendix to
* the data, and plaintext cannot be recovered from the
*signature. */
CK_PKCS11_FUNCTION_INFO(C_SignInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
CK_OBJECT_HANDLE hKey /* handle of signature key */
);
#endif
/* C_Sign signs (encrypts with private key) data in a single
* part, where the signature is (will be) an appendix to the
* data, and plaintext cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_Sign)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* the data to sign */
CK_ULONG ulDataLen, /* count of bytes to sign */
CK_BYTE_PTR pSignature, /* gets the signature */
CK_ULONG_PTR pulSignatureLen /* gets signature length */
);
#endif
/* C_SignUpdate continues a multiple-part signature operation,
* where the signature is (will be) an appendix to the data,
* and plaintext cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pPart, /* the data to sign */
CK_ULONG ulPartLen /* count of bytes to sign */
);
#endif
/* C_SignFinal finishes a multiple-part signature operation,
* returning the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* gets the signature */
CK_ULONG_PTR pulSignatureLen /* gets signature length */
);
#endif
/* C_SignRecoverInit initializes a signature operation, where
* the data can be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
CK_OBJECT_HANDLE hKey /* handle of the signature key */
);
#endif
/* C_SignRecover signs data in a single operation, where the
* data can be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_SignRecover)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* the data to sign */
CK_ULONG ulDataLen, /* count of bytes to sign */
CK_BYTE_PTR pSignature, /* gets the signature */
CK_ULONG_PTR pulSignatureLen /* gets signature length */
);
#endif
/* Verifying signatures and MACs */
/* C_VerifyInit initializes a verification operation, where the
* signature is an appendix to the data, and plaintext cannot
* cannot be recovered from the signature (e.g. DSA). */
CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
CK_OBJECT_HANDLE hKey /* verification key */
);
#endif
/* C_Verify verifies a signature in a single-part operation,
* where the signature is an appendix to the data, and plaintext
* cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_Verify)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* signed data */
CK_ULONG ulDataLen, /* length of signed data */
CK_BYTE_PTR pSignature, /* signature */
CK_ULONG ulSignatureLen /* signature length*/
);
#endif
/* C_VerifyUpdate continues a multiple-part verification
* operation, where the signature is an appendix to the data,
* and plaintext cannot be recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pPart, /* signed data */
CK_ULONG ulPartLen /* length of signed data */
);
#endif
/* C_VerifyFinal finishes a multiple-part verification
* operation, checking the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* signature to verify */
CK_ULONG ulSignatureLen /* signature length */
);
#endif
/* C_VerifyRecoverInit initializes a signature verification
* operation, where the data is recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
CK_OBJECT_HANDLE hKey /* verification key */
);
#endif
/* C_VerifyRecover verifies a signature in a single-part
* operation, where the data is recovered from the signature. */
CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* signature to verify */
CK_ULONG ulSignatureLen, /* signature length */
CK_BYTE_PTR pData, /* gets signed data */
CK_ULONG_PTR pulDataLen /* gets signed data len */
);
#endif
/* Dual-function cryptographic operations */
/* C_DigestEncryptUpdate continues a multiple-part digesting
* and encryption operation. */
CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pPart, /* the plaintext data */
CK_ULONG ulPartLen, /* plaintext length */
CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
);
#endif
/* C_DecryptDigestUpdate continues a multiple-part decryption and
* digesting operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedPart, /* ciphertext */
CK_ULONG ulEncryptedPartLen, /* ciphertext length */
CK_BYTE_PTR pPart, /* gets plaintext */
CK_ULONG_PTR pulPartLen /* gets plaintext len */
);
#endif
/* C_SignEncryptUpdate continues a multiple-part signing and
* encryption operation. */
CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pPart, /* the plaintext data */
CK_ULONG ulPartLen, /* plaintext length */
CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
);
#endif
/* C_DecryptVerifyUpdate continues a multiple-part decryption and
* verify operation. */
CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_BYTE_PTR pEncryptedPart, /* ciphertext */
CK_ULONG ulEncryptedPartLen, /* ciphertext length */
CK_BYTE_PTR pPart, /* gets plaintext */
CK_ULONG_PTR pulPartLen /* gets p-text length */
);
#endif
/* Key management */
/* C_GenerateKey generates a secret key, creating a new key
* object. */
CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* key generation mech. */
CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
CK_ULONG ulCount, /* # of attrs in template */
CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
);
#endif
/* C_GenerateKeyPair generates a public-key/private-key pair,
* creating new key objects. */
CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session
* handle */
CK_MECHANISM_PTR pMechanism, /* key-gen
* mech. */
CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
* for pub.
* key */
CK_ULONG ulPublicKeyAttributeCount, /* # pub.
* attrs. */
CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
* for priv.
* key */
CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
* attrs. */
CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
* key
* handle */
CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
* priv. key
* handle */
);
#endif
/* C_WrapKey wraps (i.e., encrypts) a key. */
CK_PKCS11_FUNCTION_INFO(C_WrapKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
CK_OBJECT_HANDLE hKey, /* key to be wrapped */
CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
);
#endif
/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
* key object. */
CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
CK_BYTE_PTR pWrappedKey, /* the wrapped key */
CK_ULONG ulWrappedKeyLen, /* wrapped key len */
CK_ATTRIBUTE_PTR pTemplate, /* new key template */
CK_ULONG ulAttributeCount, /* template length */
CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
);
#endif
/* C_DeriveKey derives a key from a base key, creating a new key
* object. */
CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session's handle */
CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
CK_OBJECT_HANDLE hBaseKey, /* base key */
CK_ATTRIBUTE_PTR pTemplate, /* new key template */
CK_ULONG ulAttributeCount, /* template length */
CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
);
#endif
/* Random number generation */
/* C_SeedRandom mixes additional seed material into the token's
* random number generator. */
CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSeed, /* the seed material */
CK_ULONG ulSeedLen /* length of seed material */
);
#endif
/* C_GenerateRandom generates random data. */
CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR RandomData, /* receives the random data */
CK_ULONG ulRandomLen /* # of bytes to generate */
);
#endif
/* Parallel function management */
/* C_GetFunctionStatus is a legacy function; it obtains an
* updated status of a function running in parallel with an
* application. */
CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* C_CancelFunction is a legacy function; it cancels a function
* running in parallel. */
CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession /* the session's handle */
);
#endif
/* Functions added in for Cryptoki Version 2.01 or later */
/* C_WaitForSlotEvent waits for a slot event (token insertion,
* removal, etc.) to occur. */
CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
#ifdef CK_NEED_ARG_LIST
(
CK_FLAGS flags, /* blocking/nonblocking flag */
CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
);
#endif

236
common/rt/include/pkcs11g.h Normal file
View File

@@ -0,0 +1,236 @@
//------------------------------------------------------------------------------
// Tumar CSP
// Copyright (c) 2009 Scientific Lab. Gamma Technologies. All rights reserved.
//
// Definitions for PKCS11 API
//------------------------------------------------------------------------------
#ifndef _PKCS11G_H_
#define _PKCS11G_H_
//------------------------------------------------------------------------------
#define CK_GAMMA_VENDOR_DEFINED 0x0F000000
//------------------------------------------------------------------------------
#define CKA_TUM_DEFINED (CKA_VENDOR_DEFINED | CK_GAMMA_VENDOR_DEFINED)
#define CKA_TUM_KEY_OID (CKA_TUM_DEFINED + 1)
#define CKA_TUM_KEY_STATE (CKA_TUM_DEFINED + 2)
//------------------------------------------------------------------------------
#define CKK_TUM_DEFINED (CKK_VENDOR_DEFINED | CK_GAMMA_VENDOR_DEFINED)
#define CKK_TUMAR (CKK_TUM_DEFINED + 1)
#define CKK_TUM_GOST28147 (CKK_TUM_DEFINED + 2)
#define CKK_TUM_GOST3410 (CKK_TUM_DEFINED + 3)
#define CKK_NONE 0xFFFFFFFF
//------------------------------------------------------------------------------
#define CKM_TUM_DEFINED (CKM_VENDOR_DEFINED | CK_GAMMA_VENDOR_DEFINED)
#define CKM_TUM_DH_DERIVE (CKM_TUM_DEFINED + 98)
#define CKM_TUM_DH_DERIVE_VKO (CKM_TUM_DEFINED + 99)
#define CKM_TUM_GR3410 (CKM_TUM_DEFINED + 100)
#define CKM_TUM_EXCH_KEY_GEN_DH256_1024_A (CKM_TUM_DEFINED + 502)
#define CKM_TUM_EXCH_KEY_GEN_DH256_1024_B (CKM_TUM_DEFINED + 503)
#define CKM_TUM_EXCH_KEY_GEN_DH256_1024_C (CKM_TUM_DEFINED + 504)
#define CKM_TUM_EXCH_KEY_GEN_DH512_512T (CKM_TUM_DEFINED + 506)
#define CKM_TUM_EXCH_KEY_GEN_EC256_512G_A (CKM_TUM_DEFINED + 510)
#define CKM_TUM_EXCH_KEY_GEN_EC256_512G_B (CKM_TUM_DEFINED + 511)
#define CKM_TUM_EXCH_KEY_GEN_EC256_512F (CKM_TUM_DEFINED + 512)
#define CKM_TUM_EXCH_KEY_GEN_EC384_768F (CKM_TUM_DEFINED + 514)
#define CKM_TUM_EXCH_KEY_GEN_EC521_1042F (CKM_TUM_DEFINED + 515)
#define CKM_RSA_PKCS_KEY_PAIR_GEN_X (CKM_TUM_DEFINED + 520)
#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_T (CKM_TUM_DEFINED + 601)
#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_A (CKM_TUM_DEFINED + 602)
#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_B (CKM_TUM_DEFINED + 603)
#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_C (CKM_TUM_DEFINED + 604)
#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_D (CKM_TUM_DEFINED + 605)
#define CKM_TUM_SIGN_KEY_GEN_DH512_512T (CKM_TUM_DEFINED + 606)
#define CKM_TUM_SIGN_KEY_GEN_EC160_320F (CKM_TUM_DEFINED + 607)
#define CKM_TUM_SIGN_KEY_GEN_EC192_384F (CKM_TUM_DEFINED + 608)
#define CKM_TUM_SIGN_KEY_GEN_EC224_448F (CKM_TUM_DEFINED + 609)
#define CKM_TUM_SIGN_KEY_GEN_EC256_512G_A (CKM_TUM_DEFINED + 610)
#define CKM_TUM_SIGN_KEY_GEN_EC256_512G_B (CKM_TUM_DEFINED + 611)
#define CKM_TUM_SIGN_KEY_GEN_EC256_512G_C (CKM_TUM_DEFINED + 612)
#define CKM_TUM_SIGN_KEY_GEN_EC256_512F (CKM_TUM_DEFINED + 613)
#define CKM_TUM_SIGN_KEY_GEN_EC384_768F (CKM_TUM_DEFINED + 614)
#define CKM_TUM_SIGN_KEY_GEN_EC521_1042F (CKM_TUM_DEFINED + 615)
#define CKM_TUM_KEY_GEN_RC2 CKM_RC2_KEY_GEN
#define CKM_TUM_CRYPT_RC2_ECB CKM_RC2_ECB
#define CKM_TUM_CRYPT_RC2_OFB (CKM_TUM_DEFINED + 302)
#define CKM_TUM_CRYPT_RC2_CNT (CKM_TUM_DEFINED + 303)
#define CKM_TUM_CRYPT_RC2_CFB (CKM_TUM_DEFINED + 304)
#define CKM_TUM_CRYPT_RC2_CBC CKM_RC2_CBC
#define CKM_TUM_CRYPT_RC2_CBC_PAD CKM_RC2_CBC_PAD
#define CKM_TUM_CRYPT_RC2_MAC CKM_RC2_MAC
#define CKM_TUM_CRYPT_RC2_MAC_GENERAL CKM_RC2_MAC_GENERAL
#define CKM_TUM_KEY_GEN_RC4 CKM_RC4_KEY_GEN
#define CKM_TUM_CRYPT_RC4 CKM_RC4
#define CKM_TUM_KEY_GEN_RC5 CKM_RC5_KEY_GEN
#define CKM_TUM_CRYPT_RC5_ECB CKM_RC5_ECB
#define CKM_TUM_CRYPT_RC5_OFB (CKM_TUM_DEFINED + 322)
#define CKM_TUM_CRYPT_RC5_CNT (CKM_TUM_DEFINED + 323)
#define CKM_TUM_CRYPT_RC5_CFB (CKM_TUM_DEFINED + 324)
#define CKM_TUM_CRYPT_RC5_CBC CKM_RC5_CBC
#define CKM_TUM_CRYPT_RC5_CBC_PAD CKM_RC5_CBC_PAD
#define CKM_TUM_CRYPT_RC5_MAC CKM_RC5_MAC
#define CKM_TUM_CRYPT_RC5_MAC_GENERAL CKM_RC5_MAC_GENERAL
#define CKM_TUM_KEY_GEN_DES CKM_DES_KEY_GEN
#define CKM_TUM_CRYPT_DES_ECB CKM_DES_ECB
#define CKM_TUM_CRYPT_DES_OFB (CKM_TUM_DEFINED + 332)
#define CKM_TUM_CRYPT_DES_CNT (CKM_TUM_DEFINED + 333)
#define CKM_TUM_CRYPT_DES_CFB (CKM_TUM_DEFINED + 334)
#define CKM_TUM_CRYPT_DES_CBC CKM_DES_CBC
#define CKM_TUM_CRYPT_DES_CBC_PAD CKM_DES_CBC_PAD
#define CKM_TUM_CRYPT_DES_MAC CKM_DES_MAC
#define CKM_TUM_CRYPT_DES_MAC_GENERAL CKM_DES_MAC_GENERAL
#define CKM_TUM_CRYPT_DES_X919_MAC (CKM_TUM_DEFINED + 339)
#define CKM_TUM_CRYPT_DES_X919_MAC_GENERAL (CKM_TUM_DEFINED + 340)
#define CKM_TUM_KEY_GEN_DES2 CKM_DES2_KEY_GEN
#define CKM_TUM_KEY_GEN_DES3 CKM_DES3_KEY_GEN
#define CKM_TUM_CRYPT_DES3_ECB CKM_DES3_ECB
#define CKM_TUM_CRYPT_DES3_OFB (CKM_TUM_DEFINED + 352)
#define CKM_TUM_CRYPT_DES3_CNT (CKM_TUM_DEFINED + 353)
#define CKM_TUM_CRYPT_DES3_CFB (CKM_TUM_DEFINED + 354)
#define CKM_TUM_CRYPT_DES3_CBC CKM_DES3_CBC
#define CKM_TUM_CRYPT_DES3_CBC_PAD CKM_DES3_CBC_PAD
#define CKM_TUM_CRYPT_DES3_MAC CKM_DES3_MAC
#define CKM_TUM_CRYPT_DES3_MAC_GENERAL CKM_DES3_MAC_GENERAL
#define CKM_TUM_KEY_GEN_AES CKM_AES_KEY_GEN
#define CKM_TUM_CRYPT_AES_ECB CKM_AES_ECB
#define CKM_TUM_CRYPT_AES_OFB (CKM_TUM_DEFINED + 102)
#define CKM_TUM_CRYPT_AES_CNT CKM_AES_CTR
#define CKM_TUM_CRYPT_AES_CFB (CKM_TUM_DEFINED + 104)
#define CKM_TUM_CRYPT_AES_CBC CKM_AES_CBC
#define CKM_TUM_CRYPT_AES_CBC_PAD CKM_AES_CBC_PAD
#define CKM_TUM_CRYPT_AES_MAC CKM_AES_MAC
#define CKM_TUM_CRYPT_AES_MAC_GENERAL CKM_AES_MAC_GENERAL
#define CKM_TUM_KEY_GEN_GOST (CKM_TUM_DEFINED + 95)
#define CKM_TUM_KEY_GEN_TUMAR (CKM_TUM_DEFINED + 96)
#define CKM_TUM_CRYPT_TUMAR_ECB (CKM_TUM_DEFINED + 111)
#define CKM_TUM_CRYPT_TUMAR_OFB (CKM_TUM_DEFINED + 112)
#define CKM_TUM_CRYPT_TUMAR_CNT (CKM_TUM_DEFINED + 113)
#define CKM_TUM_CRYPT_TUMAR_CFB (CKM_TUM_DEFINED + 114)
#define CKM_TUM_CRYPT_TUMAR_CBC (CKM_TUM_DEFINED + 115)
#define CKM_TUM_CRYPT_TUMAR_CBC_PAD (CKM_TUM_DEFINED + 116)
#define CKM_TUM_CRYPT_TUMAR_MAC (CKM_TUM_DEFINED + 117)
#define CKM_TUM_CRYPT_TUMAR_MAC_GENERAL (CKM_TUM_DEFINED + 118)
#define CKM_TUM_CRYPT_GOST_G_ECB (CKM_TUM_DEFINED + 121)
#define CKM_TUM_CRYPT_GOST_G_OFB (CKM_TUM_DEFINED + 122)
#define CKM_TUM_CRYPT_GOST_G_CNT (CKM_TUM_DEFINED + 123)
#define CKM_TUM_CRYPT_GOST_G_CFB (CKM_TUM_DEFINED + 124)
#define CKM_TUM_CRYPT_GOST_G_CBC (CKM_TUM_DEFINED + 125)
#define CKM_TUM_CRYPT_GOST_G_CBC_PAD (CKM_TUM_DEFINED + 126)
#define CKM_TUM_CRYPT_GOST_G_MAC (CKM_TUM_DEFINED + 127)
#define CKM_TUM_CRYPT_GOST_G_MAC_GENERAL (CKM_TUM_DEFINED + 128)
#define CKM_TUM_CRYPT_GOST_G_MAC_OLD (CKM_TUM_DEFINED + 298)
#define CKM_TUM_CRYPT_GOST_G_MAC_OLD_GENERAL (CKM_TUM_DEFINED + 299)
#define CKM_TUM_CRYPT_GOST_A_ECB (CKM_TUM_DEFINED + 131)
#define CKM_TUM_CRYPT_GOST_A_OFB (CKM_TUM_DEFINED + 132)
#define CKM_TUM_CRYPT_GOST_A_CNT (CKM_TUM_DEFINED + 133)
#define CKM_TUM_CRYPT_GOST_A_CFB (CKM_TUM_DEFINED + 134)
#define CKM_TUM_CRYPT_GOST_A_CBC (CKM_TUM_DEFINED + 135)
#define CKM_TUM_CRYPT_GOST_A_CBC_PAD (CKM_TUM_DEFINED + 136)
#define CKM_TUM_CRYPT_GOST_A_MAC (CKM_TUM_DEFINED + 137)
#define CKM_TUM_CRYPT_GOST_A_MAC_GENERAL (CKM_TUM_DEFINED + 138)
#define CKM_TUM_CRYPT_GOST_B_ECB (CKM_TUM_DEFINED + 141)
#define CKM_TUM_CRYPT_GOST_B_OFB (CKM_TUM_DEFINED + 142)
#define CKM_TUM_CRYPT_GOST_B_CNT (CKM_TUM_DEFINED + 143)
#define CKM_TUM_CRYPT_GOST_B_CFB (CKM_TUM_DEFINED + 144)
#define CKM_TUM_CRYPT_GOST_B_CBC (CKM_TUM_DEFINED + 145)
#define CKM_TUM_CRYPT_GOST_B_CBC_PAD (CKM_TUM_DEFINED + 146)
#define CKM_TUM_CRYPT_GOST_B_MAC (CKM_TUM_DEFINED + 147)
#define CKM_TUM_CRYPT_GOST_B_MAC_GENERAL (CKM_TUM_DEFINED + 148)
#define CKM_TUM_CRYPT_GOST_C_ECB (CKM_TUM_DEFINED + 151)
#define CKM_TUM_CRYPT_GOST_C_OFB (CKM_TUM_DEFINED + 152)
#define CKM_TUM_CRYPT_GOST_C_CNT (CKM_TUM_DEFINED + 153)
#define CKM_TUM_CRYPT_GOST_C_CFB (CKM_TUM_DEFINED + 154)
#define CKM_TUM_CRYPT_GOST_C_CBC (CKM_TUM_DEFINED + 155)
#define CKM_TUM_CRYPT_GOST_C_CBC_PAD (CKM_TUM_DEFINED + 156)
#define CKM_TUM_CRYPT_GOST_C_MAC (CKM_TUM_DEFINED + 157)
#define CKM_TUM_CRYPT_GOST_C_MAC_GENERAL (CKM_TUM_DEFINED + 158)
#define CKM_TUM_CRYPT_GOST_D_ECB (CKM_TUM_DEFINED + 161)
#define CKM_TUM_CRYPT_GOST_D_OFB (CKM_TUM_DEFINED + 162)
#define CKM_TUM_CRYPT_GOST_D_CNT (CKM_TUM_DEFINED + 163)
#define CKM_TUM_CRYPT_GOST_D_CFB (CKM_TUM_DEFINED + 164)
#define CKM_TUM_CRYPT_GOST_D_CBC (CKM_TUM_DEFINED + 165)
#define CKM_TUM_CRYPT_GOST_D_CBC_PAD (CKM_TUM_DEFINED + 166)
#define CKM_TUM_CRYPT_GOST_D_MAC (CKM_TUM_DEFINED + 167)
#define CKM_TUM_CRYPT_GOST_D_MAC_GENERAL (CKM_TUM_DEFINED + 168)
#define CKM_TUM_CRYPT_ELGAMAL (CKM_TUM_DEFINED + 190)
#define CKM_TUM_CRYPT_ELGAMAL_PAD (CKM_TUM_DEFINED + 191)
#define CKM_TUM_HASH_MD2 CKM_MD2
#define CKM_TUM_HASH_MD2_HMAC CKM_MD2_HMAC
#define CKM_TUM_HASH_MD2_HMAC_GENERAL CKM_MD2_HMAC_GENERAL
#define CKM_TUM_HASH_MD4 (CKM_TUM_DEFINED + 206)
#define CKM_TUM_HASH_MD4_HMAC (CKM_TUM_DEFINED + 207)
#define CKM_TUM_HASH_MD4_HMAC_GENERAL (CKM_TUM_DEFINED + 208)
#define CKM_TUM_HASH_MD5 CKM_MD5
#define CKM_TUM_HASH_MD5_HMAC CKM_MD5_HMAC
#define CKM_TUM_HASH_MD5_HMAC_GENERAL CKM_MD5_HMAC_GENERAL
#define CKM_TUM_HASH_SHA_1 CKM_SHA_1
#define CKM_TUM_HASH_SHA_1_HMAC CKM_SHA_1_HMAC
#define CKM_TUM_HASH_SHA_1_HMAC_GENERAL CKM_SHA_1_HMAC_GENERAL
#define CKM_TUM_HASH_SHA_256 CKM_SHA256
#define CKM_TUM_HASH_SHA_256_HMAC CKM_SHA256_HMAC
#define CKM_TUM_HASH_SHA_256_HMAC_GENERAL CKM_SHA256_HMAC_GENERAL
#define CKM_TUM_HASH_SHA_384 CKM_SHA384
#define CKM_TUM_HASH_SHA_384_HMAC CKM_SHA384_HMAC
#define CKM_TUM_HASH_SHA_384_HMAC_GENERAL CKM_SHA384_HMAC_GENERAL
#define CKM_TUM_HASH_SHA_512 CKM_SHA512
#define CKM_TUM_HASH_SHA_512_HMAC CKM_SHA512_HMAC
#define CKM_TUM_HASH_SHA_512_HMAC_GENERAL CKM_SHA512_HMAC_GENERAL
#define CKM_TUM_HASH_TUMAR (CKM_TUM_DEFINED + 261)
#define CKM_TUM_HASH_GOST (CKM_TUM_DEFINED + 271)
#define CKM_TUM_HASH_GOST_HMAC (CKM_TUM_DEFINED + 272)
#define CKM_TUM_HASH_GOST_HMAC_GENERAL (CKM_TUM_DEFINED + 273)
#define CKM_TUM_HASH_GOSTCP (CKM_TUM_DEFINED + 281)
#define CKM_TUM_HASH_GOSTCP_HMAC (CKM_TUM_DEFINED + 282)
#define CKM_TUM_HASH_GOSTCP_HMAC_GENERAL (CKM_TUM_DEFINED + 283)
#define CKM_TUM_SIGN_R3410 (CKM_TUM_DEFINED + 700)
#define CKM_TUM_SIGN_MD2_R3410 (CKM_TUM_DEFINED + 701)
#define CKM_TUM_SIGN_MD4_R3410 (CKM_TUM_DEFINED + 702)
#define CKM_TUM_SIGN_MD5_R3410 (CKM_TUM_DEFINED + 703)
#define CKM_TUM_SIGN_SHA_1_R3410 (CKM_TUM_DEFINED + 704)
#define CKM_TUM_SIGN_SHA_256_R3410 (CKM_TUM_DEFINED + 705)
#define CKM_TUM_SIGN_SHA_384_R3410 (CKM_TUM_DEFINED + 706)
#define CKM_TUM_SIGN_SHA_512_R3410 (CKM_TUM_DEFINED + 707)
#define CKM_TUM_SIGN_TUMAR_R3410 (CKM_TUM_DEFINED + 708)
#define CKM_TUM_SIGN_GOST3411_R3410 (CKM_TUM_DEFINED + 709)
#define CKM_TUM_SIGN_GOST3411CP_R3410 (CKM_TUM_DEFINED + 710)
#define CKM_TUM_SIGN_MD2_RSA CKM_MD2_RSA_PKCS
#define CKM_TUM_SIGN_MD4_RSA (CKM_TUM_DEFINED + 802)
#define CKM_TUM_SIGN_MD5_RSA CKM_MD5_RSA_PKCS
#define CKM_TUM_SIGN_SHA_1_RSA CKM_SHA1_RSA_PKCS
#define CKM_TUM_SIGN_SHA_256_RSA CKM_SHA256_RSA_PKCS
#define CKM_TUM_SIGN_SHA_384_RSA CKM_SHA384_RSA_PKCS
#define CKM_TUM_SIGN_SHA_512_RSA CKM_SHA512_RSA_PKCS
#define CKM_TUM_SIGN_TUMAR_RSA (CKM_TUM_DEFINED + 808)
#define CKM_TUM_SIGN_GOST3411_RSA (CKM_TUM_DEFINED + 809)
#define CKM_TUM_SIGN_GOST3411CP_RSA (CKM_TUM_DEFINED + 810)
//------------------------------------------------------------------------------
#endif

1909
common/rt/include/pkcs11t.h Normal file
View File

File diff suppressed because it is too large Load Diff

45
common/rt/include/rlib_load.h Normal file
View File

@@ -0,0 +1,45 @@
//------------------------------------------------------------------------------
// RCSP Project
// Copyright (c) 2007 Scientific Lab. Gamma Technologies. All rights reserved.
//
// R-CSP/R-PKCS11 LIB Loader
//------------------------------------------------------------------------------
#ifndef __RLIB_LOAD_H
#define __RLIB_LOAD_H
//------------------------------------------------------------------------------
#define LOADLIBRARY
//------------------------------------------------------------------------------
#ifndef CK_PTR
#define CK_PTR *
#endif
#ifndef NULL_PTR
#define NULL_PTR 0
#endif
#ifndef CK_CALLBACK_FUNCTION
#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
#endif
#ifndef CK_DEFINE_FUNCTION
#define CK_DEFINE_FUNCTION(returnType, name) returnType name
#endif
#ifndef CK_DECLARE_FUNCTION
#define CK_DECLARE_FUNCTION(returnType, name) returnType name
#endif
#ifndef CK_DECLARE_FUNCTION_POINTER
#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
#endif
#pragma pack(push, cryptoki, 1)
#include "pkcs11.h"
#pragma pack(pop, cryptoki)
//------------------------------------------------------------------------------
#define CSP_REGKEY "SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Tumar CSP"
#define CAPI_LIB_PATH ""
#define PKCS_LIB_PATH ""
//------------------------------------------------------------------------------
int LoadPkcsLib (char *dllpkcs);
void FreePkcsLib(void);
int do_GetFunctionList( void );
//------------------------------------------------------------------------------
extern CK_C_GetFunctionList FC_GetFunctionList;
//------------------------------------------------------------------------------
#endif

220
common/rt/src/rlib_load.cpp Normal file
View File

@@ -0,0 +1,220 @@
//------------------------------------------------------------------------------
// RCSP Project
// Copyright (c) 2007 Scientific Lab. Gamma Technologies. All rights reserved.
//
// R-CSP/R-PKCS11 LIB Loader
//------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>
#include "rlib_load.h"
//------------------------------------------------------------------------------
#ifndef F_CPAcquireContext
#define F_CPAcquireContext 1
#define F_CPGetProvParam 2
#define F_CPReleaseContext 3
#define F_CPSetProvParam 4
#define F_CPDeriveKey 5
#define F_CPDestroyKey 6
#define F_CPDuplicateKey 7
#define F_CPExportKey 8
#define F_CPGenKey 9
#define F_CPGenRandom 10
#define F_CPGetKeyParam 11
#define F_CPGetUserKey 12
#define F_CPImportKey 13
#define F_CPSetKeyParam 14
#define F_CPDecrypt 15
#define F_CPEncrypt 16
#define F_CPCreateHash 17
#define F_CPDestroyHash 18
#define F_CPDuplicateHash 19
#define F_CPGetHashParam 20
#define F_CPHashData 21
#define F_CPHashSessionKey 22
#define F_CPSetHashParam 23
#define F_CPSignHash 24
#define F_CPVerifySignature 25
#endif
//------------------------------------------------------------------------------
#ifndef F_Initialize
#define F_Initialize 31
#define F_Finalize 32
#define F_GetInfo 33
#define F_GetFunctionList 34
#define F_GetSlotList 35
#define F_GetSlotInfo 36
#define F_GetTokenInfo 37
#define F_GetMechanismList 38
#define F_GetMechanismInfo 39
#define F_InitToken 40
#define F_InitPIN 41
#define F_SetPIN 42
#define F_OpenSession 43
#define F_CloseSession 44
#define F_CloseAllSessions 45
#define F_GetSessionInfo 46
#define F_GetOperationState 47
#define F_SetOperationState 48
#define F_Login 49
#define F_Logout 50
#define F_CreateObject 51
#define F_CopyObject 52
#define F_DestroyObject 53
#define F_GetObjectSize 54
#define F_GetAttributeValue 55
#define F_SetAttributeValue 56
#define F_FindObjectsInit 57
#define F_FindObjects 58
#define F_FindObjectsFinal 59
#define F_EncryptInit 60
#define F_Encrypt 61
#define F_EncryptUpdate 62
#define F_EncryptFinal 63
#define F_DecryptInit 64
#define F_Decrypt 65
#define F_DecryptUpdate 66
#define F_DecryptFinal 67
#define F_DigestInit 68
#define F_Digest 69
#define F_DigestUpdate 70
#define F_DigestKey 71
#define F_DigestFinal 72
#define F_SignInit 73
#define F_Sign 74
#define F_SignUpdate 75
#define F_SignFinal 76
#define F_SignRecoverInit 77
#define F_SignRecover 78
#define F_VerifyInit 79
#define F_Verify 80
#define F_VerifyUpdate 81
#define F_VerifyFinal 82
#define F_VerifyRecoverInit 83
#define F_VerifyRecover 84
#define F_DigestEncryptUpdate 85
#define F_DecryptDigestUpdate 86
#define F_SignEncryptUpdate 87
#define F_DecryptVerifyUpdate 88
#define F_GenerateKey 89
#define F_GenerateKeyPair 90
#define F_WrapKey 91
#define F_UnwrapKey 92
#define F_DeriveKey 93
#define F_SeedRandom 94
#define F_GenerateRandom 95
#define F_GetFunctionStatus 96
#define F_CancelFunction 97
#define F_WaitForSlotEvent 98
#endif
#define HINSTANCE void*
//------------------------------------------------------------------------------
CK_C_Initialize FC_Initialize;
CK_C_GetFunctionList FC_GetFunctionList;
//------------------------------------------------------------------------------
HINSTANCE load_lib(char *lib)
{
return dlopen(lib, RTLD_LAZY | RTLD_LOCAL);
}
//------------------------------------------------------------------------------
void* get_sym(HINSTANCE inst, const char *proc)
{
return (void*)dlsym(inst,proc);
}
//------------------------------------------------------------------------------
void free_lib(HINSTANCE inst)
{
dlclose(inst);
}
//------------------------------------------------------------------------------
int Get_PKCS_Fancs(HINSTANCE hLib)
{
FC_GetFunctionList =(CK_C_GetFunctionList) get_sym(hLib,"C_GetFunctionList");
if (!FC_GetFunctionList)
return F_GetFunctionList;
return 0;
}
//------------------------------------------------------------------------------
HINSTANCE hPkcsLib=NULL;
//------------------------------------------------------------------------------
#ifdef WIND32
int GetCapiPath(char *path)
{
HKEY hKey;
DWORD Disposition,DataSize;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,CSP_REGKEY,0,KEY_READ,&hKey)!=ERROR_SUCCESS)
return 1;
path[0]=0;
DataSize=255;
RegQueryValueEx(hKey,"Image Path",0,&Disposition,(BYTE *)path,&DataSize);
RegCloseKey(hKey);
if (!strlen(path))
return 2;
return 0;
}
#else
int GetCapiPath(char *path)
{
strcpy(path,CAPI_LIB_PATH);
return 0;
}
#endif
//------------------------------------------------------------------------------
#ifdef WIND32
int GetPkcsPath(char *path)
{
return GetCapiPath(path);
}
#else
int GetPkcsPath(char *path)
{
strcpy(path,PKCS_LIB_PATH);
return 0;
}
#endif
//------------------------------------------------------------------------------
int LoadPkcsLib(char *dllpkcs)
{
int code;
char path[260];
if (hPkcsLib)
return 0;
if ((dllpkcs)&&(*dllpkcs))
strcpy(path,dllpkcs);
else if (GetPkcsPath(path))
return -1;
hPkcsLib=load_lib(path);
if (!hPkcsLib)
return -2;
code=Get_PKCS_Fancs(hPkcsLib);
if(code)
{
free_lib(hPkcsLib);
hPkcsLib=NULL;
}
return code;
}
//------------------------------------------------------------------------------
void FreePkcsLib(void)
{
if (hPkcsLib)
{
free_lib(hPkcsLib);
hPkcsLib=NULL;
}
}
//------------------------------------------------------------------------------
int do_GetFunctionList( void )
{
CK_RV rc = 0;
extern CK_FUNCTION_LIST *funcs;
rc=FC_GetFunctionList(&funcs);
if (rc != CKR_OK) {printf ("err %x\n",rc); return rc;}
return 0;
}
//------------------------------------------------------------------------------

65
program/include/cert_conf.h
View File

@@ -18,6 +18,8 @@
#include <MESA/Maat_rule.h>
#include <MESA/MESA_htable.h>
#include "rlib_load.h"
#define CT_PATH_MAX 256
#define CT_ARRARY_LEN (CT_PATH_MAX/2)
#define CT_STRING_MAX 1024
@@ -38,57 +40,58 @@ struct tfe_http_request{
struct pxy_obj_keyring{
int keyring_id;
int use_hsm;
int slot_id;
atomic64_t ref_cnt;
uint64_t expire_time;
time_t op_time;
EVP_PKEY *key;
X509 *issuer;
char v3_ctl[CT_STRING_MAX];
char keyring_type[CT_ARRARY_LEN];
char public_algo[CT_STRING_MAX];
char v3_ctl[CT_STRING_MAX];
int is_send;
int is_valid;
time_t op_time;
atomic64_t ref_cnt;
CK_SESSION_HANDLE session;
STACK_OF(X509) *stack_ca;
};
struct _initer_addr_t{
uint16_t e_port; /*libevent prot*/
uint16_t maat_port; /*maat redis port*/
char maat_ip[16]; /*maat redis ip */
int dbindex; /*maat redis dbindex*/
uint16_t store_port; /*store redis port */
char store_ip[16]; /*store redis ip*/
uint16_t statsd_port;
char statsd_server[16];
struct pxy_profile_hsm
{
int profile_id;
int ref_cnt;
char *server_ip;
char *passwd;
pthread_mutex_t lock;
};
struct ntc_maat_t{
unsigned int maat_json_switch;
unsigned int effective_interval_s;
char info_path[128];
char pxy_path[128];
char inc_cfg_dir[128];
char full_cfg_dir[128];
enum kerying_profile_table
{
POLICY_PROFLIE_TABLE_KERING,
POLICY_PROFILE_TABLE_HSM,
POLICY_PROFILE_TABLE_MAX
};
struct config_bucket_t{
Maat_feather_t feather;
int table_id;
struct cert_store_policy{
int mode;
unsigned int enable;
unsigned int local_debug;
unsigned int thread_nu;
unsigned int expire_after;
Maat_feather_t feather;
int plolicy_table_id[POLICY_PROFILE_TABLE_MAX];
uint16_t e_port;
uint16_t store_port;
char store_ip[46];
char ca_path[128];
char uninsec_path[128];
struct ntc_maat_t maat_t;
struct _initer_addr_t addr_t;
};
extern struct config_bucket_t *cfg_instanec();
extern struct cert_store_policy * g_certstore_policy;
void cert_store_init_config(const char *config);
void cert_store_init_config(struct cert_store_policy *certstore_policy, const char *main_profile);
#endif

2
program/include/cert_session.h
View File

@@ -103,7 +103,7 @@ typedef struct {
} x509_forge_thread;
int cert_store_session_init();
int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile);
void sigproc(int __attribute__((__unused__))sig);

129
program/src/cert_conf.cpp
View File

@@ -18,51 +18,41 @@
#include <MESA/MESA_prof_load.h>
struct config_bucket_t certConfig;
struct config_bucket_t *cfg_instanec()
{
return &certConfig;
}
static int load_system_config(const char *config)
static int load_system_config(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret = -1;
struct config_bucket_t *rte = cfg_instanec();
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "thread-nu", &(rte->thread_nu));
xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "thread-nu", &(certstore_policy->thread_nu));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
}
xret = MESA_load_profile_int_def(config, "CONFIG", "mode", &(rte->mode), 0);
xret = MESA_load_profile_int_def(main_profile, "CONFIG", "mode", &(certstore_policy->mode), 0);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of run mode failed");
}
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "expire_after", &(rte->expire_after));
xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "expire_after", &(certstore_policy->expire_after));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of valid time failed");
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "ca_path", rte->ca_path, 128);
if (xret <0 && rt_file_exsit(rte->ca_path)){
xret = MESA_load_profile_string_nodef(main_profile, "CONFIG", "ca_path", certstore_policy->ca_path, 128);
if (xret <0 && rt_file_exsit(certstore_policy->ca_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the ca path failed or the (%s) does not exist",
rte->ca_path);
certstore_policy->ca_path);
goto finish;
}
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "local_debug", &(rte->local_debug));
xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "local_debug", &(certstore_policy->local_debug));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of local_debug failed");
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "untrusted_ca_path", rte->uninsec_path, 128);
if (xret <0 && rt_file_exsit(rte->uninsec_path)){
xret = MESA_load_profile_string_nodef(main_profile, "CONFIG", "untrusted_ca_path", certstore_policy->uninsec_path, 128);
if (xret <0 && rt_file_exsit(certstore_policy->uninsec_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the untrusted ca path failed or the (%s) does not exist",
rte->ca_path);
certstore_policy->ca_path);
goto finish;
}
@@ -70,55 +60,23 @@ finish:
return xret;
}
static int load_module_config(const char *config)
static int load_module_config(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret = -1;
struct config_bucket_t *rte = cfg_instanec();
xret = MESA_load_profile_short_nodef(config, "LIBEVENT", "port", (short *)&(rte->addr_t.e_port));
xret = MESA_load_profile_short_nodef(main_profile, "LIBEVENT", "port", (short *)&(certstore_policy->e_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Libevent Port invalid");
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "MAAT_REDIS", "ip", rte->addr_t.maat_ip, 16);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis ip invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "MAAT_REDIS", "port", (short *)&(rte->addr_t.maat_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis port invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "MAAT_REDIS", "dbindex", (short *)&(rte->addr_t.dbindex));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis dbindex invalid");
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "CERTSTORE_REDIS", "ip", rte->addr_t.store_ip, 16);
xret = MESA_load_profile_string_nodef(main_profile, "CERTSTORE_REDIS", "ip", certstore_policy->store_ip, 16);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis ip invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "CERTSTORE_REDIS", "port", (short *)&(rte->addr_t.store_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis port invalid");
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "stat", "statsd_server", rte->addr_t.statsd_server, 16);
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis ip invalid");
goto finish;
}
xret = MESA_load_profile_short_nodef(config, "stat", "statsd_port", (short *)&(rte->addr_t.statsd_port));
xret = MESA_load_profile_short_nodef(main_profile, "CERTSTORE_REDIS", "port", (short *)&(certstore_policy->store_port));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis port invalid");
goto finish;
@@ -127,61 +85,10 @@ finish:
return xret;
}
static int load_maat_config(const char *config)
void cert_store_init_config(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret = -1;
load_system_config(certstore_policy, main_profile);
struct ntc_maat_t *maat_t = &cfg_instanec()->maat_t;
xret = MESA_load_profile_uint_nodef(config, "MAAT", "maat_json_switch", &(maat_t->maat_json_switch));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
}
xret = MESA_load_profile_string_nodef(config, "MAAT", "table_info", maat_t->info_path, 128);
if (xret < 0 && !rt_file_exsit( maat_t->info_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
maat_t->info_path);
goto finish;
}
if (maat_t->maat_json_switch == 1){
xret = MESA_load_profile_string_nodef(config, "MAAT", "pxy_obj_keyring", maat_t->pxy_path, 128);
if (xret < 0 && !rt_file_exsit(maat_t->pxy_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the pxy obj keyring failed or the (%s) does not exist",
maat_t->pxy_path);
goto finish;
}
}
if (maat_t->maat_json_switch == 0){
xret = MESA_load_profile_uint_nodef(config, "MAAT", "effective_interval", &(maat_t->effective_interval_s));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the interval of scan failed");
}
xret = MESA_load_profile_string_nodef(config, "MAAT", "inc_cfg_dir", maat_t->inc_cfg_dir, 128);
if (xret < 0 && !rt_file_exsit( maat_t->inc_cfg_dir)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
maat_t->inc_cfg_dir);
goto finish;
}
xret = MESA_load_profile_string_nodef(config, "MAAT", "full_cfg_dir", maat_t->full_cfg_dir, 128);
if (xret < 0 && !rt_file_exsit( maat_t->full_cfg_dir)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
maat_t->full_cfg_dir);
goto finish;
}
}
finish:
return xret;
}
void cert_store_init_config(const char *config)
{
load_system_config(config);
load_maat_config(config);
load_module_config(config);
load_module_config(certstore_policy, main_profile);
}

690
program/src/cert_session.cpp
View File

@@ -32,6 +32,8 @@
#include <openssl/engine.h>
#include <openssl/pkcs12.h>
#include <openssl/rsa.h>
#include <openssl/asn1.h>
#include <openssl/ossl_typ.h>
#include <event2/listener.h>
#include <event2/http.h>
@@ -61,6 +63,8 @@
static x509_forge_thread *threads;
CK_FUNCTION_LIST *funcs=NULL;
enum keypair_action
{
KEYPAIR_ACTION_REQ = 0,
@@ -681,108 +685,8 @@ finish:
return;
}
X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo)
const EVP_MD* ssl_x509_set_md(const EVP_MD *md, EVP_PKEY *cakey, X509 *origcrt)
{
int rv;
X509 *crt = NULL;
EVP_PKEY* key = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
if(!ssl_key_gen(&key, pkey, public_algo)){
goto err;
}
//subjectname,issuername
subject = X509_get_subject_name(origcrt);
issuer = X509_get_subject_name(cacrt);
if (!subject || !issuer)
return NULL;
crt = X509_new();
if (!crt)
return NULL;
//version,subjectname,issuername,serialnum,time,pubkey
if (!X509_set_version(crt, 0x02) ||
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_set_serial(X509_get_serialNumber(crt)) == -1 ||
!X509_set_pubkey(crt, key))
goto errout;
if (*expire_time <= 0)
{
int day = 0, sec = 0;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
ASN1_TIME_diff(&day, &sec, X509_get_notBefore(crt), X509_get_notAfter(crt));
*expire_time = MIN(sizeof_seconds(day) + sec, sizeof_seconds(1));
}
else
{
if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - half_hours(*expire_time))) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long)(half_hours(*expire_time))))
{
goto errout;
}
*expire_time = half_hours(*expire_time);
}
EVP_PKEY_free(key);
//extensions
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier",
"hash") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier",
"keyid,issuer:always") == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_basic_constraints);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints",
"CA:FALSE");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage",
"digitalSignature,"
"keyEncipherment");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_ext_key_usage);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage",
"serverAuth");
if (rv == -1)
goto errout;
if (crlurl != NULL && strcasecmp(crlurl, "null")){
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Sign certificate the CRL is %s", crlurl);
char * crlurlval;
if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
goto errout;
if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints", crlurlval) == -1)
{
free(crlurlval);
goto errout;
}
free(crlurlval);
}
/* no extraname provided: copy original subjectAltName ext */
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_subject_alt_name) == -1)
{
goto errout;
}
#ifdef DEBUG_CERTIFICATE
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
#endif /* DEBUG_CERTIFICATE */
const EVP_MD *md;
switch (EVP_PKEY_type(EVP_PKEY_base_id(cakey))) {
#ifndef OPENSSL_NO_RSA
case EVP_PKEY_RSA:
@@ -868,10 +772,184 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in
break;
#endif /* !OPENSSL_NO_ECDSA */
default:
md = NULL;
}
return md;
}
int pkcs11_signature_algotonid(unsigned long algo)
{
switch(algo)
{
case CKM_SHA1_RSA_PKCS:
return NID_sha1WithRSAEncryption;
case CKM_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
return NID_sha256WithRSAEncryption;
default:
break;
}
return 0;
}
int X509_pkcs11_sign(X509* x509, unsigned long pkcs11_signing_algo, CK_SESSION_HANDLE pkcs11_session)
{
int rv =0;
CK_OBJECT_HANDLE pkcs11_key_handle = 0;
// set signature algorithm in the certificate
const X509_ALGOR *tsig_alg_org = X509_get0_tbs_sigalg(x509);
X509_ALGOR *tsig_alg=const_cast<X509_ALGOR *>(tsig_alg_org);
if (tsig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
X509_ALGOR_set0(tsig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
const X509_ALGOR *sig_alg_org;
X509_get0_signature(NULL, &sig_alg_org, x509);
X509_ALGOR *sig_alg=const_cast<X509_ALGOR *>(sig_alg_org);
if (sig_alg)
{
const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
X509_ALGOR_set0(sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
}
// DER-encode certificate
unsigned char *x509_der_buf;
const size_t x509_der_len = i2d_re_X509_tbs(x509, &x509_der_buf);
CK_MECHANISM mechanism = { pkcs11_signing_algo, NULL_PTR, 0 };
rv = funcs->C_SignInit(pkcs11_session, &mechanism, pkcs11_key_handle);
// determine signature size
CK_ULONG signature_size = 0;
rv= funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, NULL, &signature_size);
// sign
const ASN1_BIT_STRING *psig_org;
X509_get0_signature(&psig_org, NULL, x509);
ASN1_BIT_STRING *psig=const_cast<ASN1_BIT_STRING *>(psig_org);
if (psig->data)
OPENSSL_free(psig->data);
psig->data = (unsigned char*)OPENSSL_malloc(signature_size);
psig->length = signature_size;
rv = funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, psig->data, &signature_size);
psig->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
psig->flags|=ASN1_STRING_FLAG_BITS_LEFT;
OPENSSL_free(x509_der_buf);
return rv;
}
X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session)
{
int rv;
X509 *crt=NULL;
EVP_PKEY* key=NULL;
const EVP_MD *md=NULL;
X509_NAME *subject=NULL, *issuer=NULL;
if(!ssl_key_gen(&key, pkey, public_algo)){
goto err;
}
subject = X509_get_subject_name(origcrt);
issuer = X509_get_subject_name(cacrt);
if (!subject || !issuer)
return NULL;
crt = X509_new();
if (!crt)
return NULL;
if (!X509_set_version(crt, 0x02) ||
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_set_serial(X509_get_serialNumber(crt)) == -1 ||
!X509_set_pubkey(crt, key))
goto errout;
if (*expire_time <= 0)
{
int day = 0, sec = 0;
ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
ASN1_TIME_diff(&day, &sec, X509_get_notBefore(crt), X509_get_notAfter(crt));
*expire_time = MIN(sizeof_seconds(day) + sec, sizeof_seconds(1));
}
else
{
if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - half_hours(*expire_time))) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long)(half_hours(*expire_time))))
{
goto errout;
}
*expire_time = half_hours(*expire_time);
}
EVP_PKEY_free(key);
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier","hash") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier","keyid,issuer:always") == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_basic_constraints);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints","CA:FALSE");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage", "digitalSignature," "keyEncipherment");
if (rv == -1)
goto errout;
rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_ext_key_usage);
if (rv == 0)
rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage","serverAuth");
if (rv == -1)
goto errout;
if (crlurl != NULL && strcasecmp(crlurl, "null")){
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Sign certificate the CRL is %s", crlurl);
char * crlurlval;
if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
goto errout;
if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints", crlurlval) == -1)
{
free(crlurlval);
goto errout;
}
free(crlurlval);
}
/* no extraname provided: copy original subjectAltName ext */
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_subject_alt_name) == -1)
{
goto errout;
}
#ifdef DEBUG_CERTIFICATE
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
#endif /* DEBUG_CERTIFICATE */
if (ssl_x509_set_md(md, cakey, origcrt)==NULL)
{
goto errout;
}
if (!X509_sign(crt, cakey, md))
goto errout;
if(session==0)
{
if (!X509_sign(crt, cakey, md))
goto errout;
}
else
{
if(!X509_pkcs11_sign(crt, CKM_RSA_PKCS, session))
goto errout;
}
return crt;
errout:
@@ -956,9 +1034,7 @@ static
int redis_rsync_init(struct event_base *base, struct redisAsyncContext **cl_ctx)
{
int xret = -1;
struct config_bucket_t *redis = cfg_instanec();
*cl_ctx = redisAsyncConnect(redis->addr_t.store_ip, redis->addr_t.store_port);
*cl_ctx = redisAsyncConnect(g_certstore_policy->store_ip, g_certstore_policy->store_port);
if((*cl_ctx)->err ) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Redis Connect error : %s", (*cl_ctx)->errstr);
goto finish;
@@ -1120,13 +1196,11 @@ static struct pxy_obj_keyring* get_obj_for_id(int keyring_id)
{
struct pxy_obj_keyring *pxy_obj=NULL;
struct config_bucket_t *rte = cfg_instanec();
char cfg_id_str[16] = {0};
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", keyring_id);
int tables_id = rte->table_id;
pxy_obj = (struct pxy_obj_keyring*)Maat_plugin_get_EX_data(rte->feather, tables_id, (const char*)cfg_id_str);
int tables_id = g_certstore_policy->plolicy_table_id[POLICY_PROFLIE_TABLE_KERING];
pxy_obj = (struct pxy_obj_keyring*)Maat_plugin_get_EX_data(g_certstore_policy->feather, tables_id, (const char*)cfg_id_str);
return pxy_obj;
}
@@ -1139,15 +1213,13 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
X509 *cacrt = NULL; EVP_PKEY *cakey = NULL;
char *v3_ctl=NULL, *public_algo=NULL;
struct config_bucket_t *rte = cfg_instanec();
if (is_valid == 0 && keyring_id != 0) keyring_id = 0;
if (is_valid == 1 && keyring_id == 0) keyring_id = 1;
struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id);
if (NULL == pxy_obj)
{
if (!rte->local_debug)
if (!g_certstore_policy->local_debug)
{
if (1==is_valid) pxy_obj = get_obj_for_id(1);
if (0==is_valid) pxy_obj = get_obj_for_id(0);
@@ -1165,7 +1237,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
{
cacrt = (is_valid == 1) ? def->root : def->insec_root;
cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = cfg_instanec()->expire_after;
expire_time = g_certstore_policy->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: Use local keypair, sign cert!!!");
goto modify;
}
@@ -1173,10 +1245,13 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
if(pxy_obj->use_hsm)
{
cacrt = (is_valid == 1) ? def->root : def->insec_root;
cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = cfg_instanec()->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not supported, use local keypair, sign cert!!!");
if(pxy_obj->session==0)
{
cacrt = (is_valid == 1) ? def->root : def->insec_root;
cakey = (is_valid == 1) ? def->key : def->insec_key;
expire_time = g_certstore_policy->expire_after;
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not connected, use local keypair, sign cert!!!");
}
goto modify;
}
if (!STRCMP(pxy_obj->keyring_type, "end-entity"))
@@ -1199,7 +1274,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
expire_time = pxy_obj->expire_time;
*stack_ca = pxy_obj->stack_ca;
modify:
x509 = ssl_x509_forge(cacrt, cakey, request->origin, pkey, &expire_time, v3_ctl, public_algo);
x509 = ssl_x509_forge(cacrt, cakey, request->origin, pkey, &expire_time, v3_ctl, public_algo, pxy_obj->session);
if (!x509){
goto finish;
}
@@ -1261,7 +1336,6 @@ rediSyncCommand(redisContext *sync, struct tfe_http_request *request, char *odat
int xret = -1;
redisReply *reply;
struct config_bucket_t *config = cfg_instanec();
x509_forge_thread *thread = threads + request->thread_id;
struct evhttp_request *evh_req = request->evh_req;
@@ -1278,7 +1352,7 @@ rediSyncCommand(redisContext *sync, struct tfe_http_request *request, char *odat
case '$' :
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Writing data(%s) to redis failed", request->rkey);
fp_stat_latency(request->create_time, KEYPAIR_ACTION_SQL);
if (config->mode){
if (g_certstore_policy->mode){
redisAsyncCommand(thread->cl_ctx, redis_reget_callback, request, "GET %s", request->rkey);
}else{
redis_sync_reget_callback(request, sync);
@@ -1363,8 +1437,7 @@ static int web_json_table_add(char *privatekey, char *sign, char **digital_certi
return 0;
}
static int
redis_clnt_pdu_send(struct tfe_http_request *request)
static int redis_clnt_pdu_send(struct tfe_http_request *request)
{
#define MAX_CHAIN_LEN 6
int xret = -1, i = 0;
@@ -1722,7 +1795,6 @@ void http_get_cb(struct evhttp_request *evh_req, void *arg)
struct evbuffer * evbuf_body = NULL;
char *input = NULL; ssize_t inputlen=0;
x509_forge_thread *info = (x509_forge_thread *)arg;
struct config_bucket_t *config = cfg_instanec();
if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST) {
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "FAILED (post type)");
@@ -1763,7 +1835,7 @@ void http_get_cb(struct evhttp_request *evh_req, void *arg)
}
FS_operate(g_FP_instance.handle, g_FP_instance.line_ids[KEYPAIR_ACTION_REQ], 0, FS_OP_ADD, 1);
xret = get_keypair_cache(info, request, config->mode);
xret = get_keypair_cache(info, request, g_certstore_policy->mode);
if (xret >= 0)
{
goto finish;
@@ -1777,11 +1849,10 @@ finish:
int redis_sync_init(struct redisContext **c)
{
int xret = -1;
struct config_bucket_t *redis = cfg_instanec();
struct timeval timeout = { 1, 500000 }; // 1.5 seconds
*c = redisConnectWithTimeout(redis->addr_t.store_ip, redis->addr_t.store_port, timeout);
*c = redisConnectWithTimeout(g_certstore_policy->store_ip, g_certstore_policy->store_port, timeout);
if (*c == NULL || (*c)->err) {
if (*c) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Sync connection error: %s", (*c)->errstr);
@@ -1801,10 +1872,9 @@ static int
worker_private_init(struct event_base *base, x509_forge_thread *thread)
{
int xret = -1;
struct config_bucket_t *config = cfg_instanec();
/* Initialize the redis connection*/
if (config->mode)
if (g_certstore_policy->mode)
{
xret = redis_rsync_init(base, &thread->cl_ctx);
if (xret < 0 || !thread->cl_ctx){
@@ -1817,10 +1887,10 @@ worker_private_init(struct event_base *base, x509_forge_thread *thread)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Initialize the sync redis connection is failure");
}
if (config->local_debug)
if (g_certstore_policy->local_debug)
{
/* Initialize the X509 CA*/
xret = x509_key_pair_init(config->ca_path, &thread->def.key, &thread->def.root);
xret = x509_key_pair_init(g_certstore_policy->ca_path, &thread->def.key, &thread->def.root);
if (xret < 0 || !(thread->def.key) || !(thread->def.root))
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate");
@@ -1828,7 +1898,7 @@ worker_private_init(struct event_base *base, x509_forge_thread *thread)
}
/* Initialize the insec CA*/
xret = x509_key_pair_init(config->uninsec_path, &thread->def.insec_key, &thread->def.insec_root);
xret = x509_key_pair_init(g_certstore_policy->uninsec_path, &thread->def.insec_key, &thread->def.insec_root);
if (xret < 0 || !(thread->def.key) || !(thread->def.root))
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate");
@@ -1868,7 +1938,7 @@ static void *pthread_worker_libevent(void *arg)
bound = evhttp_accept_socket_with_handle(http, thread_ctx->accept_fd);
if (bound != NULL) {
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Bound(%p) to port %d - Awaiting connections ... ", bound,
cfg_instanec()->addr_t.e_port);
g_certstore_policy->e_port);
}
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Work thread %u is run...", thread_ctx->id);
@@ -2002,7 +2072,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
x509_forge_thread *info = NULL;
x509_forge_thread *threads = (x509_forge_thread *)argv;
unsigned int thread_nu = cfg_instanec()->thread_nu;
unsigned int thread_nu = g_certstore_policy->thread_nu;
for (tid = 0; tid < (int)thread_nu; tid++) {
info = threads + tid;
if(info->sync == NULL){
@@ -2015,7 +2085,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "[%d]trying to connect sync redis success", tid);
}
if(cfg_instanec()->mode)
if(g_certstore_policy->mode)
{
xret = redis_rsync_init(info->base, &info->cl_ctx);
if (xret < 0 || !info->cl_ctx){
@@ -2028,21 +2098,20 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
}
}
static int
keyring_server_init()
static int keyring_server_init(struct cert_store_policy *certstore_policy)
{
int xret = -1;
unsigned int tid = 0;
x509_forge_thread *thread = NULL;
uint32_t tm_link_detetion = 0;
unsigned int thread_nu = cfg_instanec()->thread_nu;
unsigned int thread_nu = certstore_policy->thread_nu;
/* Create a new evhttp object to handle requests. */
struct sockaddr_in sin;
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_port = htons(cfg_instanec()->addr_t.e_port);
sin.sin_port = htons(g_certstore_policy->e_port);
evutil_socket_t accept_fd = evhttp_listen_socket_byuser((struct sockaddr*)&sin, sizeof(struct sockaddr_in), LEV_OPT_REUSEABLE_PORT|LEV_OPT_CLOSE_ON_FREE, -1);
if (accept_fd < 0)
{
@@ -2114,9 +2183,7 @@ void sigproc(int __attribute__((__unused__))sig)
unsigned int tid = 0;
x509_forge_thread *thread = NULL;
struct config_bucket_t *rte = cfg_instanec();
for (tid = 0; tid < rte->thread_nu; tid++)
for (tid = 0; tid < g_certstore_policy->thread_nu; tid++)
{
thread = threads + tid;
if (thread->sync)
@@ -2131,12 +2198,15 @@ void sigproc(int __attribute__((__unused__))sig)
exit(1);
}
static int mesa_fiel_stat_init()
static int field_stat_init(struct cert_store_policy *certstore_policy, const char *profile)
{
int value=0, i=0;
int value=0, i=0, statsd_port=0;
char statsd_server[46]={0};
char stat_path[128] ={0}, pname[32]={0};
struct _initer_addr_t *addr_t = &(cfg_instanec()->addr_t);
MESA_load_profile_string_def(profile, "stat", "statsd_server", statsd_server, sizeof(statsd_server), "");
MESA_load_profile_int_def(profile, "stat", "statsd_port", &(statsd_port), 0);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Filed initiate from %s:%d.", statsd_server, statsd_port);
g_FP_instance.favorite=FS_CALC_CURRENT;
strcpy(g_FP_instance.histogram_bins, FP_HISTOGRAM_BINS);
@@ -2155,10 +2225,10 @@ static int mesa_fiel_stat_init()
FS_set_para(fs, CREATE_THREAD, &value, sizeof(value));
value=2;
FS_set_para(fs, STAT_CYCLE, &value, sizeof(value));
if(strlen(addr_t->statsd_server)>0 && addr_t->statsd_port!=0)
if(strlen(statsd_server)>0 && statsd_port!=0)
{
FS_set_para(fs, STATS_SERVER_IP, addr_t->statsd_server, strlen(addr_t->statsd_server)+1);
FS_set_para(fs, STATS_SERVER_PORT, &(addr_t->statsd_port), sizeof(addr_t->statsd_port));
FS_set_para(fs, STATS_SERVER_IP, statsd_server, strlen(statsd_server)+1);
FS_set_para(fs, STATS_SERVER_PORT, &(statsd_port), sizeof(statsd_port));
}
FS_set_para(fs, HISTOGRAM_GLOBAL_BINS, g_FP_instance.histogram_bins, strlen(g_FP_instance.histogram_bins)+1);
@@ -2186,15 +2256,58 @@ static int mesa_fiel_stat_init()
return 0;
}
void keyring_table_new_cb(int __attribute__((__unused__))table_id, const char __attribute__((__unused__))*key,
const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__))argl, void __attribute__((__unused__))* argp)
static struct pxy_profile_hsm* get_profile_by_id(int profile_id)
{
struct pxy_profile_hsm* ply_profile=NULL;
char cfg_id_str[16] = {0};
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id);
int table_id = g_certstore_policy->plolicy_table_id[POLICY_PROFILE_TABLE_HSM];
ply_profile = (struct pxy_profile_hsm*)Maat_plugin_get_EX_data(g_certstore_policy->feather, table_id, (const char*)cfg_id_str);
return ply_profile;
}
CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id)
{
int ret=0;
CK_FLAGS flags;
CK_SESSION_HANDLE session=0;
struct pxy_profile_hsm* ply_profile = get_profile_by_id(0);
if(ply_profile == NULL || funcs->C_OpenSession==NULL)
{
goto error;
}
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
ret = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
if(ret)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk open session faild, error : %d", ret);
goto error;
}
ret = funcs->C_Login(session, CKU_USER, (CK_UTF8CHAR_PTR)ply_profile->passwd, strlen(ply_profile->passwd));
if(ret)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk login faild, error : %d", ret);
goto error;
}
return session;
error:
if(session)
{
funcs->C_CloseSession(session);
}
return 0;
}
void keyring_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
int ret=0, slot_id=-1;
int include_root=0, is_valid=0;
char profile_name[CT_ARRARY_LEN]={0};
char private_file[CT_STRING_MAX] = {0}, public_file[CT_STRING_MAX]={0};
char __attribute__((__unused__))_priv_file[CT_PATH_MAX] = {0};
char __attribute__((__unused__))_publi_file[CT_PATH_MAX] = {0};
int ret=0;
struct pxy_obj_keyring *pxy_obj = NULL;
pxy_obj = (struct pxy_obj_keyring *)malloc(sizeof(struct pxy_obj_keyring));
@@ -2208,7 +2321,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d\t%d\t%d", &pxy_obj->keyring_id, profile_name,
pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_time, pxy_obj->public_algo,
pxy_obj->v3_ctl, &pxy_obj->is_send, &pxy_obj->use_hsm, &pxy_obj->slot_id, &pxy_obj->is_valid);
pxy_obj->v3_ctl, &include_root, &pxy_obj->use_hsm, &slot_id, &is_valid);
if(ret!=12)
{
kfree(pxy_obj);
@@ -2218,7 +2331,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
pxy_obj->op_time = time(NULL);
/*Load PUBLICKEY***/
if ((pxy_obj->issuer = x509_get_root_ca(public_file, pxy_obj->is_send, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){
if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 publickey failed, the keyring id is %d",
pxy_obj->keyring_id);
goto finish;
@@ -2227,12 +2340,16 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
if(pxy_obj->use_hsm == 0)
{
/*Load PRIVATEKEY**/
if ((pxy_obj->key = cert_load_key(private_file)) == NULL){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d",
pxy_obj->keyring_id);
if ((pxy_obj->key = cert_load_key(private_file)) == NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d", pxy_obj->keyring_id);
goto finish;
}
}
else
{
pxy_obj->session = keyring_pkcs11_login(slot_id);
}
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d",
pxy_obj->keyring_id);
@@ -2254,21 +2371,19 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
*((struct pxy_obj_keyring**)to)=pxy_obj;
}
int maat_table_ex_init(const char* table_name,
int maat_table_ex_init(const char* table_name,int profile_id,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func)
{
int table_id = 0;
struct config_bucket_t *rte = cfg_instanec();
table_id= rte->table_id = Maat_table_register(rte->feather, table_name);
table_id= g_certstore_policy->plolicy_table_id[profile_id] = Maat_table_register(g_certstore_policy->feather, table_name);
if(table_id<0)
{
goto finish;
}
table_id=Maat_plugin_EX_register(rte->feather,
table_id=Maat_plugin_EX_register(g_certstore_policy->feather,
table_id,
new_func,free_func,
dup_func,NULL,0,NULL);
@@ -2276,65 +2391,234 @@ finish:
return table_id;
}
int maat_feather_init()
#define MAAT_INPUT_JSON 1
#define MAAT_INPUT_REDIS 2
#define MAAT_INPUT_FILE 0
static Maat_feather_t create_maat_feather(const char *profile, const char *section, int max_thread)
{
int ret = -1;
Maat_feather_t feather = NULL;
int scan_interval_ms = 1000;
Maat_feather_t target;
int input_mode = 0;
int ret = 0, effect_interval = 60;
char table_info[CT_STRING_MAX] = {0}, inc_cfg_dir[CT_STRING_MAX] = {0}, ful_cfg_dir[CT_STRING_MAX] = {0};
char redis_server[CT_STRING_MAX] = {0};
char redis_port_range[CT_STRING_MAX] = {0};
char accept_tags[CT_STRING_MAX] = {0};
char accept_path[CT_PATH_MAX] = {0};
int redis_port_begin = 0, redis_port_end = 0;
int redis_port_select = 0;
int redis_db_idx = 0;
char json_cfg_file[CT_STRING_MAX] = {0};
struct config_bucket_t *rte = cfg_instanec();
struct ntc_maat_t *maat_t = &rte->maat_t;
MESA_load_profile_int_def(profile, section, "maat_json_switch", &(input_mode), 0);
MESA_load_profile_string_def(profile, section, "table_info", table_info, sizeof(table_info), "");
MESA_load_profile_string_def(profile, section, "accept_path", accept_path, sizeof(accept_path), "");
MESA_load_profile_string_def(profile, section, "pxy_obj_keyring", json_cfg_file, sizeof(json_cfg_file), "");
MESA_load_profile_string_def(profile, "MAAT_REDIS", "ip", redis_server, sizeof(redis_server), "");
MESA_load_profile_string_def(profile, "MAAT_REDIS", "port", redis_port_range, sizeof(redis_server), "6379");
MESA_load_profile_int_def(profile, "MAAT_REDIS", "dbindex", &(redis_db_idx), 0);
MESA_load_profile_string_def(profile, section, "inc_cfg_dir", inc_cfg_dir, sizeof(inc_cfg_dir), "");
MESA_load_profile_string_def(profile, section, "full_cfg_dir", ful_cfg_dir, sizeof(ful_cfg_dir), "");
MESA_load_profile_int_def(profile, section, "effective_interval", &(effect_interval), 60);
int effective_interval_ms = maat_t->effective_interval_s * 1000;
effect_interval *= 1000; //convert s to ms
feather = Maat_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle);
Maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
if (maat_t->maat_json_switch == 1){
Maat_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1);
target = Maat_feather(max_thread, table_info, logging_sc_lid.run_log_handle);
Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
switch (input_mode)
{
case MAAT_INPUT_JSON:
Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
break;
case MAAT_INPUT_REDIS:
ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
if (ret == 1)
{
redis_port_select = redis_port_begin;
}
else if (ret == 2)
{
srand(time(NULL));
redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin);
}
Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
break;
case MAAT_INPUT_FILE:
Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
break;
default:
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
}
if (maat_t->maat_json_switch == 0){
Maat_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1);
Maat_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1);
}
if (maat_t->maat_json_switch == 2){
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1);
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port));
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex));
Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./foreign_files/", strlen("./foreign_files/") + 1);
Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
if (strlen(accept_path) > 0)
{
MESA_load_profile_string_def(accept_path, "maat", "ACCEPT_TAGS", accept_tags, sizeof(accept_tags), "{\"tags\":[{\"tag\":\"device_id\",\"value\":\"device_1\"}]}");
Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
mesa_runtime_log(RLOG_LV_INFO, "accept tags : %s", accept_tags);
}
Maat_set_feather_opt(feather, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms));
Maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms));
/***/
const char* foregin_dir="./foreign_files/";
Maat_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1);
ret = Maat_initiate_feather(feather);
if (ret < 0)
{
ret = Maat_initiate_feather(target);
if (ret < 0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
}
rte->feather = feather;
goto error_out;
}
return target;
error_out:
Maat_burn_feather(target);
return NULL;
}
int table_id = maat_table_ex_init("PXY_PROFILE_KEYRING",
keyring_table_new_cb,
keyring_table_free_cb,
keyring_table_dup_cb);
void hsm_profile_table_start_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char server_type[128]={0};
char ip[46]={0}, passwd[128] = {0};
char effective_range[256] = {0};
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, server_type, ip, passwd, effective_range, &is_valid);
if(ret!=6)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse config failed: %s", table_line);
return;
}
/*Whether to take effect**/
struct pxy_profile_hsm* ply_profile = (struct pxy_profile_hsm*)kmalloc(sizeof(struct pxy_profile_hsm), MPF_CLR, -1);
ply_profile->profile_id=profile_id;
ply_profile->ref_cnt=1;
pthread_mutex_init(&(ply_profile->lock), NULL);
ply_profile->server_ip=strdup(ip);
ply_profile->passwd=strdup(passwd);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Policy table add success %d", profile_id);
*ad = ply_profile;
return;
}
void hsm_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
{
struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*from);
pthread_mutex_lock(&(ply_obj->lock));
ply_obj->ref_cnt++;
pthread_mutex_unlock(&(ply_obj->lock));
*to=ply_obj;
}
void hsm_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
if(*ad==NULL)
{
return;
}
struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*ad);
if(ply_obj==NULL)
{
return;
}
pthread_mutex_lock(&(ply_obj->lock));
ply_obj->ref_cnt--;
if(ply_obj->ref_cnt>0)
{
pthread_mutex_unlock(&(ply_obj->lock));
return;
}
pthread_mutex_unlock(&(ply_obj->lock));
pthread_mutex_destroy(&(ply_obj->lock));
kfree(&ply_obj->server_ip);
kfree(&ply_obj->passwd);
kfree(&ply_obj);
*ad=NULL;
return;
}
int maat_feather_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int table_id = 0;
certstore_policy->feather = create_maat_feather(main_profile, "maat", certstore_policy->thread_nu);
if(!certstore_policy->feather)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
return 0;
}
table_id = maat_table_ex_init("PXY_PROFILE_KEYRING", POLICY_PROFLIE_TABLE_KERING, keyring_table_new_cb, keyring_table_free_cb, keyring_table_dup_cb);
if(table_id<0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed");
}
table_id = maat_table_ex_init("PXY_PROFILE_HSM", POLICY_PROFILE_TABLE_HSM, hsm_profile_table_start_cb, hsm_profile_table_free_cb, hsm_profile_table_dup_cb);
if(table_id<0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table PXY_PROFILE_HSM failed");
return 0;
}
field_stat_init(certstore_policy, main_profile);
return 0;
}
int cert_store_session_init()
int do_user_GetFunctionList(void)
{
mesa_fiel_stat_init();
return FC_GetFunctionList(&funcs);
}
maat_feather_init();
int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
int xret=0;
char library_path[256]={0};
CK_C_INITIALIZE_ARGS cinit_args;
keyring_server_init();
MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable));
MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), "");
if(certstore_policy->enable == 0)
{
goto finish;
}
xret=LoadPkcsLib(library_path);
if(xret!=0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path);
goto finish;
}
xret = do_user_GetFunctionList();
if(xret!=0 || funcs->C_Initialize==NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get function list failed, errro = %d",xret);
goto finish;
}
memset(&cinit_args, 0x0, sizeof(cinit_args));
cinit_args.flags = CKF_OS_LOCKING_OK;
xret = funcs->C_Initialize(&cinit_args);
if(xret!=0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed");
}
finish:
return xret;
}
int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile)
{
maat_feather_init(certstore_policy, main_profile);
pkcs11_module_init(certstore_policy, main_profile);
keyring_server_init(certstore_policy);
return 0;
}

51
program/src/cert_store.cpp
View File

@@ -12,14 +12,15 @@
#include <unistd.h>
#include "rt_string.h"
#include "rt_stdlib.h"
#include "rt_common.h"
#include <cert_conf.h>
#include <cert_session.h>
#include "cert_conf.h"
#include "cert_session.h"
#include "logging.h"
#include <MESA/MESA_prof_load.h>
#define CERT_BASIC_CFG "./conf/cert_store.ini"
struct cert_store_policy * g_certstore_policy = NULL;
/* VERSION STRING */
#ifdef TARGET_GIT_VERSION
@@ -39,33 +40,18 @@ enum syslog_display_format{
FORMAT_SYSLOG
};
static
void cert_store_preview ()
static void cert_store_preview()
{
struct config_bucket_t *rte = cfg_instanec();
printf("\r\nBasic Configuration of CertStore \n");
printf("%30s:%45s\n", "Run Mode", (rte->mode == 1)?"async":"sync");
printf("%30s:%45d\n", "The Threads", rte->thread_nu);
printf("%30s:%45s\n", "Store Redis Ip", rte->addr_t.store_ip);
printf("%30s:%45d\n", "Store Redis Port", rte->addr_t.store_port);
printf("%30s:%45s\n", "Maat Redis Ip", rte->addr_t.maat_ip);
printf("%30s:%45d\n", "Maat Redis Port", rte->addr_t.maat_port);
printf("%30s:%45d\n", "Maat Redis index", rte->addr_t.dbindex);
printf("%30s:%45d\n", "Libevent Port", rte->addr_t.e_port);
printf("%30s:%45s\n", "Cert Path", rte->ca_path);
printf("%30s:%45s\n", "Uninsec cert Path", rte->uninsec_path);
printf("%30s:%45s\n", "Run Mode", (g_certstore_policy->mode == 1)?"async":"sync");
printf("%30s:%45d\n", "The Threads", g_certstore_policy->thread_nu);
printf("%30s:%45s\n", "Store Redis Ip", g_certstore_policy->store_ip);
printf("%30s:%45d\n", "Store Redis Port", g_certstore_policy->store_port);
printf("%30s:%45d\n", "Libevent Port", g_certstore_policy->e_port);
printf("%30s:%45s\n", "Cert Path", g_certstore_policy->ca_path);
printf("%30s:%45s\n", "Uninsec cert Path", g_certstore_policy->uninsec_path);
printf("%30s:%45s\n", "Log Directory", logging_sc_lid.run_log_path);
printf("%30s:%45s\n", "Table Info", rte->maat_t.info_path);
if (rte->maat_t.maat_json_switch == 1){
printf("%30s:%45s\n", "Pxy Obj Keyring", rte->maat_t.pxy_path);
}
if (rte->maat_t.maat_json_switch == 0){
printf("%30s:%45d\n", "Scan Interval", rte->maat_t.effective_interval_s);
printf("%30s:%45s\n", "Full Cfg Path", rte->maat_t.full_cfg_dir);
printf("%30s:%45s\n", "Inc Cfg Path", rte->maat_t.inc_cfg_dir);
}
printf("\r\n");
}
@@ -93,6 +79,8 @@ void __signal_handler_cb(int sig)
int main(int argc, char **argv)
{
int opt = 0;
const char * main_profile = "./conf/cert_store.ini";
while ((opt = getopt(argc, argv, "v")) != -1)
{
switch (opt)
@@ -104,9 +92,13 @@ int main(int argc, char **argv)
break;
}
}
cert_store_syslog_init(CERT_BASIC_CFG, version());
cert_store_init_config(CERT_BASIC_CFG);
g_certstore_policy = (struct cert_store_policy *) kmalloc (sizeof(struct cert_store_policy), MPF_CLR, -1);
assert(g_certstore_policy);
cert_store_syslog_init(main_profile, version());
cert_store_init_config(g_certstore_policy, main_profile);
cert_store_preview();
@@ -116,8 +108,7 @@ int main(int argc, char **argv)
{
signal(signals[i], __signal_handler_cb);
}
cert_store_session_init();
cert_store_session_init(g_certstore_policy, main_profile);
return 0;
}

4
resource/conf/cert_store.ini
View File

@@ -58,3 +58,7 @@ dbindex = 4
statsd_server=192.168.10.72
statsd_port=8126
[certex_hsm]
enable=0
library_path=lib/libcertex-rcsp_r.so.v.3.0.40.2

22
resource/conf/pxy_obj_keyring.json
View File

@@ -73,18 +73,18 @@
{
"table_name": "PXY_PROFILE_KEYRING",
"table_content": [
"0\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t0\trsa1024\tNULL\t1\t1\t2019112101\t",
"11\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t//home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t0\trsa1024\tNULL\t0\t1\t2019112102\t",
"0\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t0\trsa1024\tNULL\t1\t0\t1\t1\t2019112101\t",
"11\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t//home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t0\trsa1024\tNULL\t0\t0\t1\t\t1\t2019112102\t",
"1\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t24\trsa2048\tNULL\t0\t1\t20191121990\t",
"3\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t30\trsa4096\tNULL\t1\t1\t2019112102\t",
"9\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-cer.pem\t30\trsa1024\tNULL\t1\t1\t2019112104\t",
"8\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-ca-l1-cert.pem\t30\trsa1024\tNULL\t1\t1\t2019112105\t",
"12\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v2-v1-ca.cer\t30\trsa1024\tNULL\t0\t1\t20191106\t",
"13\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-ca-v1-v2.cer\t30\trsa1024\tNULL\t0\t1\t20191107\t",
"4\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v1-ca-v2.cer\t30\trsa1024\tNULL\t0\t1\t20191108\t",
"5\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle.pem\t30\trsa4096\tNULL\t1\t1\t20191108\t",
"10\tname_01\tend-entity\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-key.pem\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-cer.pem\t30\trsa4096\tNULL\t0\t1\t20191107\t"
"1\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t24\trsa2048\tNULL\t0\t0\t1\t1\t20191121990\t",
"3\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t30\trsa4096\tNULL\t1\t0\t1\t1\t2019112102\t",
"9\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-cer.pem\t30\trsa1024\tNULL\t1\t0\t1\t1\t2019112104\t",
"8\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-ca-l1-cert.pem\t30\trsa1024\tNULL\t1\t0\t1\t1\t2019112105\t",
"12\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v2-v1-ca.cer\t30\trsa1024\tNULL\t0\t0\t1\t1\t20191106\t",
"13\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-ca-v1-v2.cer\t30\trsa1024\tNULL\t0\t0\t1\t1\t20191107\t",
"4\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v1-ca-v2.cer\t30\trsa1024\tNULL\t0\t0\t1\t1\t20191108\t",
"5\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle.pem\t30\trsa4096\tNULL\t1\t0\t1\t1\t20191108\t",
"10\tname_01\tend-entity\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-key.pem\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-cer.pem\t30\trsa4096\tNULL\t0\t0\t1\t1\t20191107\t"
]
}
]

1
resource/conf/table_info.conf
View File

@@ -18,3 +18,4 @@
1 COMPILE compile
2 GROUP group
3 PXY_PROFILE_KEYRING plugin {"key":1,"valid":12,"foreign":"4,5"}
4 PXY_PROFILE_HSM plugin {"key":1,"valid":6}